07-12-2012 08:03 PM - edited 07-12-2012 08:04 PM
Microsoft issued a Security Advisory on July 10 strongly recommending all Vista/Windows 7 users disable desktop/sidebar gadgets (Advisory 2719662). They believe they are vulnerable to exploitation.
I assume NIS offers the same level of protection against gadget exploitation as any other risk. I'm interested to know if anyone has more insight and if following typical safe practices and using only trusted gadgets is an acceptable risk.
07-12-2012 09:16 PM
Very interesting!
I cannot speak with any authority, but it appears the focus is on "insecure" gadgets. Here is the FAQ from the Microsoft Advisory. http://technet.microsoft.com/en-us/security/adviso
Frequently Asked Questions
What is the scope of the advisory? The purpose of this advisory is to notify customers that Microsoft is aware of vulnerabilities in insecure Gadgets affecting the Windows Sidebar on supported versions of Windows Vista and Windows 7.
What caused the issue? The issue is caused when Gadgets, running in the Windows Sidebar, contain vulnerabilities that can be leveraged by an attacker.
What might an attacker use the vulnerability to do? An attacker who successfully exploited a Gadget vulnerability could gain the same user rights as a logged-on user. If the user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
How could an attacker exploit the vulnerability? An attacker would have to convince a user to install and enable a vulnerable Gadget.
I could only guess that the gadgets that came with Windows should be secure and it could relate to third party gadgets. That is just my guess though.
Dave.
Windows 7 x64 SP1 N360v20.3.1.22 NU16 SSR 2013 Secunia PSI SpywareBlaster NoScript MBAM free SAS free
07-13-2012 08:13 AM
For those of us that use Windows Gadgets, this may be disappointing - http://www.scmagazine.com.au/Tools/Print.aspx?CIID
Dave
07-13-2012 12:27 PM - edited 07-13-2012 12:28 PM
FWIW - here is some additional information:
Advisory:
http://technet.microsoft.com/en-us/security/adviso
Fix-it tool mentioned in advisory:
http://support.microsoft.com/kb/2719662
Info on Gadget Gallery being removed:
http://windows.microsoft.com/en-us/windows/downloa
07-13-2012 06:58 PM
While it may be true that some third party gadgets could be "insecure", I believe that this is just a scare campaign by Microsoft to stop people using gadgets so they will accept Windows 8 - which I will not be doing.
Dave.
07-14-2012 09:07 AM
Krusty13 wrote: While it may be true that some third party gadgets could be "insecure", I believe that this is just a scare campaign by Microsoft to stop people using gadgets so they will accept Windows 8 - which I will not be doing.
Dave.
Just because that sounds neurotic it doesn't mean you are not right! This from that last reference that Yank gives:
<< Desktop gadgets
Because we want to focus on the exciting possibilities of the newest version of Windows, the Windows website no longer hosts the gadget gallery. >>
Well thank you -- I really like and value the ones I have, all of which, except for Norton's, came with the installation of Windows 7.
